James Bercegay of the GulfTech Security Research Team discovered that WordPress insufficiently checks data passed to the XML-RPC server. He also discovered that WordPress has several cross-site scripting and full path disclosure vulnerabilities.

Impact

An attacker could use the PHP script injection vulnerabilities to execute arbitrary PHP script commands. Furthermore the cross-site scripting vulnerabilities could be exploited to execute arbitrary script code in a user's browser session in context of a vulnerable site.